
Mystery Company Offers $250,000 Bounty for VM Escape Vulnerabilities

An unnamed company will start an eight-week, invite-only bug bounty program in September that offers a $250,000 payout for virtual-machine escape vulnerabilities in an unreleased product.

Bugcrowd announced the program today and said the top payout is the largest bounty ever advertised on a third-party bug bounty platform.


“This top-secret program is a hybrid approach. It allows the organization to recruit more top talent—security experts that specialize in the company’s unique attack surface,” said Casey Ellis, CEO of Bugcrowd.

The so-called “Super-Secret” Bugcrowd bounty program is invite-only and requires participating researchers to submit “a report of their efforts, what was attempted, ideas for potential compromise, and any other relevant information (regardless of whether or not they achieved the stated objectives),” according to the company. The five best reports that fail to find a bug but demonstrate effort and expertise will each be awarded $10,000 as compensation for the work done, according to the company.

The program runs for eight weeks, from early September through October. According to the bounty page, 27 participants have already joined.

The top $250,000 bounty offered by the unnamed company covers two classes of bug: “guest escape vulnerabilities that lead to code execution in the virtualization platform itself” and “guest escape vulnerabilities that lead to code execution in another instance.”

The same program pays $100,000 for vulnerabilities that leak memory contents or code from the virtualization platform, and $25,000 for vulnerabilities that allow unintended network access to control-plane infrastructure.

“High rewards like this speak to the growing momentum behind bug bounties and the maturity of the (not so niche) market,” Ellis said.

According to HackerOne, a Bugcrowd competitor, its average payout to participants is up 16 percent from 2015’s average of $1,624. The highest bounty currently advertised on HackerOne is $50,000 for critical vulnerabilities.